You mean to suggest that we should store the session details in form data?
I mean to suggest that trying to do good authentication with cookies or URL frobs is a difficult, ugly problem. Though I have seen one approach that essentially encoded Kerberos tickets in cookies that seemed to me to have potential, but that still wouldn't solve the problem for sites/proxies that thwart cookies. I think putting such frobs in URLs would make the URLs too long.
Well... how do I, then, validate whether a valid session (authenticated session) exists or not if I have to access resources other than forms - like a movie file, PDF, doc, etc.!
As you say, cookies are sometimes disabled (and for good reasons), how do I track the session for non-form resources/files?
And it also means that I cannot simply move from one page to another - if I'm putting validation data as form data, each link must be a form-submit link with some option.
How far can this be justified?
Just because HTTP exists does not mean it is a good tool for everything you might want to do over a network.
Keith
_______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf